CVS update: samba/source/nsswitch

Andrew Bartlett abartlet at samba.org
Mon Jun 23 02:36:53 GMT 2003


On Mon, 2003-06-23 at 12:01, Gerald (Jerry) Carter wrote:
> On 22 Jun 2003, Andrew Bartlett wrote:
> 
> > Yes, but 3.0 does ADS connections - those servers won't be affected by a
> > negative netbios name cache.  (And yes, I've seen that code improving
> > very nicely over the last little bit).
> 
> We have a winbindd_domain* that stores the last NTSTATUS returned.
> If the server is down, then this can just be set to 
> NT_STATUS_SERVER_DISABLED.  We can just modify the ads code to store 
> NT_STATUS_SERVER_DISABLED in the domain structure instead of relying on 
> the sequence number being set to DOM_SEQUENCE_NONE.  That's trivial.
> 
> However, there is no place that checks for a return code of 
> NT_STATUS_SERVER_DISABLED.  So I really fail to see the difference
> in returning NT_STATUS_ACCESS_DENIED or NT_STATUS_SERVER_DISABLED.

Sorry, I thought we had some code to back-off reconnecting to the server
in wcache_server_down() (to prevent hammering it continuously - and the
resultant timeouts).

That is something that I would like the ADS code to do in future - but
probably should be done independently in both back-ends.

> > > This code has been running well for several months now through a barrage 
> > > of failover tests.
> > 
> > Including ADS failover?
> 
> Have you run the new code?  Or are you just asking theoretical questions?
> The code was effectively a rename of the uni_group cache + storing
> return codes in the winbindd_domain* structure.  Give me a specific
> thing that broke and I'll fix it.

Just the way the patch read, it looked like a very nice port of
functionality from APPLIANCE_HEAD, but seemed to ignore the presence of
the ADS code in 3.0.  Now on reading the patch it looks sane for both
RPC and ADS, but the claim that it had been tested for 'several months'
on ADS seemed odd, that's all.

> > Just watch out, we can mix the RPC backend with kerberos logins under
> > some strange situations.
> 
> Again, do you have a specific comment?  Or just a be careful?

Just don't assume that Active Directory implies sane combinations of
login semantics, that's all.

We do have a number of things we need to clean up in our ADS code to
make it match the new stuff this patch introduces.

This late in the game toward 3.0 I'm trying to be really careful about
the code I put in, and I certainly don't want to sit on my hands if I
think there is something that might have been missed, that's all.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
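
The thread turns on whether anything acts on NT_STATUS_SERVER_DISABLED as distinct from NT_STATUS_ACCESS_DENIED, and on backing off reconnects to a server that is down. The following is an added example, not part of the original message and not Samba's code, of a per-domain gate that does both. The struct, function names and delay values are hypothetical.

```c
#include <stdint.h>
#include <time.h>

/* Local copies of the NTSTATUS values named in the thread. */
#define NT_STATUS_OK              0x00000000u
#define NT_STATUS_ACCESS_DENIED   0xC0000022u
#define NT_STATUS_SERVER_DISABLED 0xC0000080u
#define BACKOFF_BASE_SECS 5     /* assumed first retry delay */
#define BACKOFF_MAX_SECS  300   /* assumed ceiling */

/* Hypothetical stand-in for the per-domain state; not winbindd_domain. */
struct domain_state {
    uint32_t last_status;   /* last NTSTATUS seen for this domain */
    time_t   last_failure;  /* when the server was last found down */
    unsigned failures;      /* consecutive "server down" results */
};

/* Delay before the next attempt: base * 2^(failures-1), capped. */
static time_t backoff_delay(const struct domain_state *d)
{
    time_t delay = BACKOFF_BASE_SECS;
    unsigned i;
    if (d->failures == 0)
        return 0;
    for (i = 1; i < d->failures && delay < BACKOFF_MAX_SECS; i++)
        delay *= 2;
    return delay > BACKOFF_MAX_SECS ? BACKOFF_MAX_SECS : delay;
}

/* Record the outcome of a request to the domain's server. */
void domain_record_status(struct domain_state *d, uint32_t status, time_t now)
{
    d->last_status = status;
    if (status == NT_STATUS_SERVER_DISABLED) {
        d->failures++;
        d->last_failure = now;
    } else {
        /* Any answer, even ACCESS_DENIED, proves the server is reachable. */
        d->failures = 0;
    }
}

/* Returns 1 if a connection attempt is allowed at 'now', 0 to back off. */
int domain_may_connect(const struct domain_state *d, time_t now)
{
    if (d->last_status != NT_STATUS_SERVER_DISABLED)
        return 1;
    return (now - d->last_failure) >= backoff_delay(d);
}
```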